From 2207d1b027e6365c14a83a53b352f5292ca4c95c Mon Sep 17 00:00:00 2001 From: munja Date: Wed, 18 May 2022 13:03:14 +0100 Subject: [PATCH] feat: column level security --- docs/column-level-security.md | 62 +++++++++++++++++++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 63 insertions(+) create mode 100644 docs/column-level-security.md diff --git a/docs/column-level-security.md b/docs/column-level-security.md new file mode 100644 index 0000000..cdac265 --- /dev/null +++ b/docs/column-level-security.md 
@@ -0,0 +1,62 @@ +--- +layout: article +title: Column Level Security +description: Restrict tables in SAS such that users can only view or edit specific columns according to their group membership. +og_image: https://docs.datacontroller.io/img/rls_table.png +--- + +# Column Level Security + +Column level security is implemented by mapping _allowed_ columns to a list of groups. + +## Configuration + +The columns in MPE_COLUMN_LEVEL_SECURITY should be configured as follows: + +### CLS_SCOPE +Determines whether the rule applies to the VIEW page, the EDIT page, or ALL pages. + +- When applied to VIEW, then only the allowed columns are visible. +- When applied to EDIT, then only the allowed columns are _editable_ (the remaining columns are read-only, and visible) + +### CLS_GROUP +The SAS Group to which the rule applies. The user could also be a member of a [DC group](/dcc-groups). + + - If a user is in ANY of the groups, the columns will be restricted. + - If a user is in NONE of the groups, no restrictions apply (all columns available). + - If a user is in MULTIPLE groups, they will see all allowed columns across all groups. + +### CLS_LIBREF +The library of the target table against which the security rule will be applied + +### CLS_TABLE +The target table against which the security rule will be applied + +### CLS_VARIABLE_NM +This is the name of the variable against which the security rule will be applied + +### CLS_ACTIVE +If you would like this rule to be applied, be sure this value is set to 1. 
+ + +## Example Config +Example values as follows: + +|CLS_SCOPE:$4|CLS_GROUP:$64|CLS_LIBREF:$8| CLS_TABLE:$32|CLS_VARIABLE_NM:$32|CLS_ACTIVE:8.| +|---|---|---|---|---|---|---|---|---|---|---| +|EDIT|Group 1|MYLIB|MYDS|VAR_1|1| +|ALL|Group 1|MYLIB|MYDS|VAR_2|1| +|ALL|Group 2|MYLIB|MYDS|VAR_3|1| +|VIEW|Group 1|MYLIB|MYDS|VAR_4|1| + + +If a user is in Group 1, and viewing `MYLIB.MYDS` in EDIT mode, all columns will be visible but only the following columns will be editable: + +* VAR_1 +* VAR_2 + +If the user is in both Group 1 AND Group 2, viewing `MYLIB.MYDS` in VIEW mode, only the following columns will be visible: + +* VAR_2 +* VAR_3 +* VAR_4 \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index 2a9d0c8..123ef99 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -19,6 +19,7 @@ nav: - MPE_DATASTATUS_LIBS: mpe_datastatus_libs.md - MPE_DATASTATUS_TABS: mpe_datastatus_tabs.md - Configuration: + - Column Level Security: column-level-security.md - Dates / Datetimes: dcc-dates.md - Dynamic Cell Dropdown: dynamic-cell-dropdown.md - Emails: emails.md
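Review bot: In the CLS_GROUP section of docs/column-level-security.md, the bullet "If a user is in NONE of the groups, no restrictions apply (all columns available)" describes a fail-open default without calling it out. A reader who adds rules for one group may not realise that every user outside the listed groups keeps access to all columns of that table. Suggest stating that consequence next to the bullet, and clarifying which rows count towards "in ANY of the groups": the CLS_ACTIVE section only describes the value 1, and the page does not say whether an inactive row, or a row for a different CLS_SCOPE, still places the user under restriction. Two smaller points in the same hunk: the separator row of the Example Config table has eleven `---` cells against six header cells, so trimming it to six would keep the table rendering consistently; and the front matter `og_image` points at `rls_table.png`, a name that does not obviously match this page, so it is worth confirming that it is the intended image.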