2022-05-18 12:03:14 +00:00
---
layout: article
title: Column Level Security
2022-05-18 13:42:46 +00:00
description: Column Level Security prevents end users from viewing or editing specific columns in SAS according to their group membership.
2022-07-09 22:35:24 +00:00
og_image: https://docs.datacontroller.io/img/cls_table.png
2022-05-18 12:03:14 +00:00
---
# Column Level Security
2022-05-18 13:42:46 +00:00
Column level security is implemented by mapping _allowed_ columns to a list of SAS groups. In VIEW mode, only allowed columns are visible. In EDIT mode, allowed columns are _editable_ - the remaining columns are read-only.
2022-05-18 12:03:14 +00:00
2022-07-09 22:48:49 +00:00
Below is an example of an EDIT table with only one column enabled for editing:
![lockanytable example ](/img/cls_example.png )
2022-05-18 12:03:14 +00:00
## Configuration
2022-05-18 13:42:46 +00:00
The variables in MPE_COLUMN_LEVEL_SECURITY should be configured as follows:
2022-05-18 12:03:14 +00:00
### CLS_SCOPE
2022-07-02 16:47:11 +00:00
Determines whether the rule applies to the VIEW page, the EDIT page, or ALL pages. The impact of the rule varies as follows:
#### VIEW Scope
When `CLS_SCOPE in ('VIEW','ALL')` then only the listed columns are _visible_ (unless `CLS_HIDE=1` )
#### EDIT Scope
When `CLS_SCOPE in ('EDIT','ALL')` then only the listed columns are _editable_ (the remaining columns are read-only, and visible). Furthermore:
* The user will be unable to ADD or DELETE records.
2022-07-09 22:35:24 +00:00
* Primary Key values are always read only
2022-07-02 16:47:11 +00:00
* Primary Key values cannot be hidden (`CLS_HIDE=1` will have no effect)
2022-05-18 12:03:14 +00:00
### CLS_GROUP
2022-07-09 22:35:24 +00:00
The SAS Group to which the rule applies. The user could also be a member of a [DC group ](/dcc-groups ).
2022-05-18 12:03:14 +00:00
2022-07-09 22:35:24 +00:00
- If a user is in ANY of the groups, the columns will be restricted.
2022-05-18 12:03:14 +00:00
- If a user is in NONE of the groups, no restrictions apply (all columns available).
- If a user is in MULTIPLE groups, they will see all allowed columns across all groups.
2022-07-09 22:48:49 +00:00
- If a user is in the [Data Controller Admin Group ](/dcc-groups/#data-controller-admin-group ), CLS rules DO NOT APPLY.
2022-05-18 12:03:14 +00:00
### CLS_LIBREF
The library of the target table against which the security rule will be applied
### CLS_TABLE
The target table against which the security rule will be applied
### CLS_VARIABLE_NM
2022-07-09 22:35:24 +00:00
This is the name of the variable against which the security rule will be applied. Note that
2022-05-18 12:03:14 +00:00
### CLS_ACTIVE
If you would like this rule to be applied, be sure this value is set to 1.
2022-06-09 20:07:10 +00:00
### CLS_HIDE
This variable can be set to `1` to _hide_ specific variables, which allows greater control over the EDIT screen in particular. CLS_SCOPE behaviour is impacted as follows:
* `ALL` - the variable will not be visible in either VIEW or EDIT.
2022-07-02 16:47:11 +00:00
* `EDIT` - the variable will not be visible. **Cannot be applied to a primary key column** .
2022-06-09 20:07:10 +00:00
* `VIEW` - the variable will not be visible. Can be applied to a primary key column. Simply omitting the row, or setting CLS_ACTIVE to 0, would result in the same behaviour.
2022-07-02 17:37:10 +00:00
It is possible that a variable can have multiple values for CLS_HIDE, eg if a user is in multiple groups, or if different rules apply for different scopes. In this case, if the user is any group where this variable is NOT hidden, then it will be displayed.
2022-05-18 12:03:14 +00:00
## Example Config
Example values as follows:
2022-06-09 20:07:10 +00:00
|CLS_SCOPE:$4|CLS_GROUP:$64|CLS_LIBREF:$8| CLS_TABLE:$32|CLS_VARIABLE_NM:$32|CLS_ACTIVE:8.|CLS_HIDE:8.|
|---|---|---|---|---|---|---|
|EDIT|Group 1|MYLIB|MYDS|VAR_1|1||
|ALL|Group 1|MYLIB|MYDS|VAR_2|1||
|ALL|Group 2|MYLIB|MYDS|VAR_3|1||
|VIEW|Group 1|MYLIB|MYDS|VAR_4|1||
|EDIT|Group 1|MYLIB|MYDS|VAR_5|1|1|
2022-05-18 12:03:14 +00:00
2022-05-20 15:26:02 +00:00
If a user is in Group 1, and viewing `MYLIB.MYDS` in EDIT mode, **all** columns will be visible but only the following columns will be editable:
2022-05-18 12:03:14 +00:00
* VAR_1
* VAR_2
2022-05-20 15:26:02 +00:00
The user will be unable to add or delete rows.
If the user is in both Group 1 AND Group 2, viewing `MYLIB.MYDS` in VIEW mode, **only** the following columns will be visible:
2022-05-18 12:03:14 +00:00
* VAR_2
* VAR_3
2022-05-20 15:26:02 +00:00
* VAR_4