docs.datacontroller.io/docs/column-level-security.md

---
layout: article
title: Column Level Security
description: Column Level Security prevents end users from viewing or editing specific columns in SAS according to their group membership.
og_image:  https://docs.datacontroller.io/img/rls_table.png
---

!!! warning
    In development - coming soon!

# Column Level Security

Column level security is implemented by mapping _allowed_ columns to a list of SAS groups. In VIEW mode, only allowed columns are visible.  In EDIT mode, allowed columns are _editable_ - the remaining columns are read-only.

## Configuration

The variables in MPE_COLUMN_LEVEL_SECURITY should be configured as follows:

### CLS_SCOPE
Determines whether the rule applies to the VIEW page, the EDIT page, or ALL pages.  

- When applied to VIEW, then only allowed columns are _visible_
- When applied to EDIT, then only allowed columns are _editable_ (the remaining columns are read-only, and visible).  When CLS is applied in EDIT mode, the user will not be able to ADD or DELETE records.

### CLS_GROUP
The SAS Group to which the rule applies.  The user could also be a member of a [DC group](/dcc-groups). 

 - If a user is in ANY of the groups, the columns will be restricted.  
 - If a user is in NONE of the groups, no restrictions apply (all columns available).
 - If a user is in MULTIPLE groups, they will see all allowed columns across all groups.

### CLS_LIBREF
The library of the target table against which the security rule will be applied

### CLS_TABLE
The target table against which the security rule will be applied

### CLS_VARIABLE_NM
This is the name of the variable against which the security rule will be applied

### CLS_ACTIVE
If you would like this rule to be applied, be sure this value is set to 1.

### CLS_HIDE
This variable can be set to `1` to _hide_ specific variables, which allows greater control over the EDIT screen in particular.  CLS_SCOPE behaviour is impacted as follows:

* `ALL` - the variable will not be visible in either VIEW or EDIT.
* `EDIT` - the variable will not be visible.  Cannot be applied to a primary key column.
* `VIEW` - the variable will not be visible.  Can be applied to a primary key column.  Simply omitting the row, or setting CLS_ACTIVE to 0, would result in the same behaviour.


## Example Config
Example values as follows:

|CLS_SCOPE:$4|CLS_GROUP:$64|CLS_LIBREF:$8| CLS_TABLE:$32|CLS_VARIABLE_NM:$32|CLS_ACTIVE:8.|CLS_HIDE:8.|
|---|---|---|---|---|---|---|
|EDIT|Group 1|MYLIB|MYDS|VAR_1|1||
|ALL|Group 1|MYLIB|MYDS|VAR_2|1||
|ALL|Group 2|MYLIB|MYDS|VAR_3|1||
|VIEW|Group 1|MYLIB|MYDS|VAR_4|1||
|EDIT|Group 1|MYLIB|MYDS|VAR_5|1|1|


If a user is in Group 1, and viewing `MYLIB.MYDS` in EDIT mode, **all** columns will be visible but only the following columns will be editable:

* VAR_1
* VAR_2

The user will be unable to add or delete rows.

If the user is in both Group 1 AND Group 2, viewing `MYLIB.MYDS` in VIEW mode, **only** the following columns will be visible:

* VAR_2
* VAR_3
* VAR_4
feat: column level security 2022-05-18 12:03:14 +00:00			`---`
			`layout: article`
			`title: Column Level Security`
fix: hook script info 2022-05-18 13:42:46 +00:00			`description: Column Level Security prevents end users from viewing or editing specific columns in SAS according to their group membership.`
feat: column level security 2022-05-18 12:03:14 +00:00			`og_image: https://docs.datacontroller.io/img/rls_table.png`
			`---`

Update column-level-security.md 2022-05-20 15:26:02 +00:00			`!!! warning`
			`In development - coming soon!`

feat: column level security 2022-05-18 12:03:14 +00:00			`# Column Level Security`

fix: hook script info 2022-05-18 13:42:46 +00:00			`Column level security is implemented by mapping _allowed_ columns to a list of SAS groups. In VIEW mode, only allowed columns are visible. In EDIT mode, allowed columns are _editable_ - the remaining columns are read-only.`
feat: column level security 2022-05-18 12:03:14 +00:00
			`## Configuration`

fix: hook script info 2022-05-18 13:42:46 +00:00			`The variables in MPE_COLUMN_LEVEL_SECURITY should be configured as follows:`
feat: column level security 2022-05-18 12:03:14 +00:00
			`### CLS_SCOPE`
			`Determines whether the rule applies to the VIEW page, the EDIT page, or ALL pages.`

Update column-level-security.md 2022-05-20 15:26:02 +00:00			`- When applied to VIEW, then only allowed columns are _visible_`
Update column-level-security.md 2022-06-09 20:07:10 +00:00			`- When applied to EDIT, then only allowed columns are _editable_ (the remaining columns are read-only, and visible). When CLS is applied in EDIT mode, the user will not be able to ADD or DELETE records.`
feat: column level security 2022-05-18 12:03:14 +00:00
			`### CLS_GROUP`
			`The SAS Group to which the rule applies. The user could also be a member of a [DC group](/dcc-groups).`

			`- If a user is in ANY of the groups, the columns will be restricted.`
			`- If a user is in NONE of the groups, no restrictions apply (all columns available).`
			`- If a user is in MULTIPLE groups, they will see all allowed columns across all groups.`

			`### CLS_LIBREF`
			`The library of the target table against which the security rule will be applied`

			`### CLS_TABLE`
			`The target table against which the security rule will be applied`

			`### CLS_VARIABLE_NM`
			`This is the name of the variable against which the security rule will be applied`

			`### CLS_ACTIVE`
			`If you would like this rule to be applied, be sure this value is set to 1.`

Update column-level-security.md 2022-06-09 20:07:10 +00:00			`### CLS_HIDE`
			This variable can be set to `1` to _hide_ specific variables, which allows greater control over the EDIT screen in particular. CLS_SCOPE behaviour is impacted as follows:

			* `ALL` - the variable will not be visible in either VIEW or EDIT.
			* `EDIT` - the variable will not be visible. Cannot be applied to a primary key column.
			* `VIEW` - the variable will not be visible. Can be applied to a primary key column. Simply omitting the row, or setting CLS_ACTIVE to 0, would result in the same behaviour.

feat: column level security 2022-05-18 12:03:14 +00:00
			`## Example Config`
			`Example values as follows:`

Update column-level-security.md 2022-06-09 20:07:10 +00:00			`\|CLS_SCOPE:$4\|CLS_GROUP:$64\|CLS_LIBREF:$8\| CLS_TABLE:$32\|CLS_VARIABLE_NM:$32\|CLS_ACTIVE:8.\|CLS_HIDE:8.\|`
			`\|---\|---\|---\|---\|---\|---\|---\|`
			`\|EDIT\|Group 1\|MYLIB\|MYDS\|VAR_1\|1\|\|`
			`\|ALL\|Group 1\|MYLIB\|MYDS\|VAR_2\|1\|\|`
			`\|ALL\|Group 2\|MYLIB\|MYDS\|VAR_3\|1\|\|`
			`\|VIEW\|Group 1\|MYLIB\|MYDS\|VAR_4\|1\|\|`
			`\|EDIT\|Group 1\|MYLIB\|MYDS\|VAR_5\|1\|1\|`
feat: column level security 2022-05-18 12:03:14 +00:00

Update column-level-security.md 2022-05-20 15:26:02 +00:00			If a user is in Group 1, and viewing `MYLIB.MYDS` in EDIT mode, all columns will be visible but only the following columns will be editable:
feat: column level security 2022-05-18 12:03:14 +00:00
			`* VAR_1`
			`* VAR_2`

Update column-level-security.md 2022-05-20 15:26:02 +00:00			`The user will be unable to add or delete rows.`

			If the user is in both Group 1 AND Group 2, viewing `MYLIB.MYDS` in VIEW mode, only the following columns will be visible:
feat: column level security 2022-05-18 12:03:14 +00:00
			`* VAR_2`
			`* VAR_3`
Update column-level-security.md 2022-05-20 15:26:02 +00:00			`* VAR_4`