---
layout: article
title: Column Level Security
description: Column Level Security prevents end users from viewing or editing specific columns in SAS according to their group membership.
og_image: https://docs.datacontroller.io/img/rls_table.png
---
!!! warning
    In development - coming soon!

# Column Level Security
Column level security is implemented by mapping _allowed_ columns to a list of SAS groups. In VIEW mode, only allowed columns are visible. In EDIT mode, allowed columns are _editable_ - the remaining columns are read-only.
## Configuration
The variables in MPE_COLUMN_LEVEL_SECURITY should be configured as follows:
### CLS_SCOPE
Determines whether the rule applies to the VIEW page, the EDIT page, or ALL pages. The impact of the rule varies as follows:
#### VIEW Scope
When `CLS_SCOPE in ('VIEW','ALL')` then only the listed columns are _visible_ (unless `CLS_HIDE=1`).
#### EDIT Scope
When `CLS_SCOPE in ('EDIT','ALL')` then only the listed columns are _editable_ (the remaining columns are read-only, and visible). Furthermore:
* The user will be unable to ADD or DELETE records.
* Primary Key values are always read-only.
* Primary Key values cannot be hidden (`CLS_HIDE=1` will have no effect).
### CLS_GROUP
The SAS Group to which the rule applies. The user could also be a member of a [DC group](/dcc-groups).
- If a user is in ANY of the groups, the columns will be restricted.
- If a user is in NONE of the groups, no restrictions apply (all columns available).
- If a user is in MULTIPLE groups, they will see all allowed columns across all groups.
### CLS_LIBREF
The library of the target table against which the security rule will be applied.
### CLS_TABLE
The target table against which the security rule will be applied.
### CLS_VARIABLE_NM
This is the name of the variable against which the security rule will be applied. Note that
### CLS_ACTIVE
If you would like this rule to be applied, be sure this value is set to 1.
### CLS_HIDE
This variable can be set to `1` to _hide_ specific variables, which allows greater control over the EDIT screen in particular. CLS_SCOPE behaviour is impacted as follows:
* `ALL` - the variable will not be visible in either VIEW or EDIT.
* `EDIT` - the variable will not be visible. **Cannot be applied to a primary key column**.
* `VIEW` - the variable will not be visible. Can be applied to a primary key column. Simply omitting the row, or setting CLS_ACTIVE to 0, would result in the same behaviour.
## Example Config
Example values as follows:

|CLS_SCOPE:$4|CLS_GROUP:$64|CLS_LIBREF:$8|CLS_TABLE:$32|CLS_VARIABLE_NM:$32|CLS_ACTIVE:8.|CLS_HIDE:8.|
|---|---|---|---|---|---|---|
|EDIT|Group 1|MYLIB|MYDS|VAR_1|1||
|ALL|Group 1|MYLIB|MYDS|VAR_2|1||
|ALL|Group 2|MYLIB|MYDS|VAR_3|1||
|VIEW|Group 1|MYLIB|MYDS|VAR_4|1||
|EDIT|Group 1|MYLIB|MYDS|VAR_5|1|1|

If a user is in Group 1, and viewing `MYLIB.MYDS` in EDIT mode, **all** columns will be visible but only the following columns will be editable:
* VAR_1
* VAR_2

The user will be unable to add or delete rows.

If the user is in both Group 1 AND Group 2, viewing `MYLIB.MYDS` in VIEW mode, **only** the following columns will be visible:
* VAR_2
* VAR_3
* VAR_4
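
The rule evaluation described on this page, modelled in Python as an added example (not Data Controller's own code), which can be used to check what a given set of `MPE_COLUMN_LEVEL_SECURITY` rows grants before deploying it. The `ID` primary key and the column list of `MYLIB.MYDS` are constructed, and two behaviours are assumptions: rules are matched per scope, and a column allowed through one group is not hidden by `CLS_HIDE=1` in another. Under this model the `VAR_5` row (`CLS_HIDE=1`) removes that column from the EDIT screen for Group 1.

```python
# Added model of this page's CLS rules; not Data Controller's own code.
from typing import NamedTuple

class Rule(NamedTuple):
    scope: str    # CLS_SCOPE: VIEW, EDIT or ALL
    group: str    # CLS_GROUP
    libref: str   # CLS_LIBREF
    table: str    # CLS_TABLE
    column: str   # CLS_VARIABLE_NM
    active: int   # CLS_ACTIVE
    hide: int     # CLS_HIDE (blank treated as 0)

# Rows from the Example Config table on this page.
RULES = [
    Rule("EDIT", "Group 1", "MYLIB", "MYDS", "VAR_1", 1, 0),
    Rule("ALL",  "Group 1", "MYLIB", "MYDS", "VAR_2", 1, 0),
    Rule("ALL",  "Group 2", "MYLIB", "MYDS", "VAR_3", 1, 0),
    Rule("VIEW", "Group 1", "MYLIB", "MYDS", "VAR_4", 1, 0),
    Rule("EDIT", "Group 1", "MYLIB", "MYDS", "VAR_5", 1, 1),
]
# Constructed: the page does not give the column list or key of MYLIB.MYDS.
COLUMNS = ["ID", "VAR_1", "VAR_2", "VAR_3", "VAR_4", "VAR_5"]
PRIMARY_KEY = {"ID"}

def effective_access(groups, libref, table, mode, rules=RULES,
                     columns=COLUMNS, pk=PRIMARY_KEY):
    """Return (visible, editable, can_add_delete) for mode 'VIEW' or 'EDIT'."""
    hits = [r for r in rules
            if r.active == 1 and r.group in groups
            and (r.libref, r.table) == (libref, table)
            and r.scope in (mode, "ALL")]  # assumption: matched per scope
    if not hits:
        # No rule matches the user's groups: CLS imposes no restriction.
        edit = mode == "EDIT"
        return list(columns), list(columns) if edit else [], edit
    # Assumption: a column allowed through any group wins over CLS_HIDE=1
    # set for another group ("all allowed columns across all groups").
    allowed = {r.column for r in hits if r.hide != 1}
    hidden = {r.column for r in hits if r.hide == 1} - allowed
    if mode == "VIEW":
        return [c for c in columns if c in allowed], [], False
    hidden -= pk  # CLS_HIDE=1 has no effect on primary keys in EDIT
    visible = [c for c in columns if c not in hidden]
    editable = [c for c in visible if c in allowed and c not in pk]  # keys read-only
    return visible, editable, False

if __name__ == "__main__":
    print(effective_access({"Group 1"}, "MYLIB", "MYDS", "EDIT"))
    print(effective_access({"Group 1", "Group 2"}, "MYLIB", "MYDS", "VIEW"))
```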