Implementing Identity-Driven Row-Level Security at RBS Using SAS® Visual Analytics
Paul Johnson - Sopra Steria
Background
The Task at Hand!
• Secure data at the identity level
• Not rely on access control templates (ACTs)
• Source the security rules from our security database
• Avoid data duplication
VA Environment
[Environment figure: VA 7.1; labels BI, ACT, RLS; figures 1,300, 1TB, 3.5TB; timeline 2015 to 2016]
The Solution? Identity-Driven Row-Level Security
Identity-Driven RLS in Visual Analytics is
• Where the same VA query returns a different set of rows based on the data access privileges of each user
• The automatic resolution of a user identity in a VA query
• The matching of a user identity value to a LASR column
• A conditional grant of Read permission on a LASR table
• A process facilitated by SAS Metadata canonical tables
RLS_COLUMN IN ('SUB::SAS.IdentityGroups')
RLS_COLUMN CONTAINS ('SUB::SAS.Userid')
RLS Framework: S E C U R E (Source, Extract, Concatenate, Upload, Revise, Ensure)
Identity Group - Dimensions
[Framework diagram. Source and Target Data: Reporting Marts and Security Database (Sync Identity Metadata). Extract and Concatenate, RLS Column to VA Table: Data Columns + RLS_Column. Upload, VA Table to LASR Server. Revise, VA Table Read Permissions: Grant Read ACT with condition RLS_COLUMN IN ('SUB::SAS.IdentityGroups'). Ensure, Permissions are Enforced: RLS_Column maps to identity groups.]
RLS Framework: Cost Centre Example
Identity Group – Cost Centres
[Framework diagram, same stages as above (Source and Target Data; RLS Column to VA Table; VA Table to LASR Server; VA Table Read Permissions; Permissions are Enforced) with Reporting Marts and Security Database as sources, Sync Identity Metadata and Grant Read ACT as the permission steps. RLS column RLS_COST with values RLS_CC_CENTRAL, RLS_CC_SOUTH, RLS_CC_NORTH, matched to the Cost Centre identity groups by the condition RLS_COST IN ('SUB::SAS.IdentityGroups').]
RLS Framework: Industry Sector Example
Identity Group – Industry Sectors
[Framework diagram, same stages as above (Source and Target Data; RLS Column to VA Table; VA Table to LASR Server; VA Table Read Permissions; Permissions are Enforced) with Reporting Marts and Security Database as sources, Sync Identity Metadata and Grant Read ACT as the permission steps. RLS column RLS_SECT with values RLS_SECT_MEDIA, RLS_SECT_HEALTH, RLS_SECT_BANKS, matched to the Industry Sector identity groups by the condition RLS_SECT IN ('SUB::SAS.IdentityGroups').]
RLS Framework: User Identity Example
User Identities
[Framework diagram, same stages as above (Source and Target Data; RLS Column to VA Table; VA Table to LASR Server; VA Table Read Permissions; Permissions are Enforced), with Reporting Marts and Active Directory as sources, Sync Identity Metadata and Grant Read ACT as the permission steps. RLS column USERID with values WALT@DISNEY, TOM@DISNEY, JERRY@DISNEY, matched to the user identity by the condition USERID CONTAINS ('SUB::SAS.Userid').]
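As an added illustration (not code from the presentation, RBS or SAS), a small Python model of the Concatenate step and of how the two conditional-grant forms shown in this deck, IN over identity groups and CONTAINS over the user id, make the same query return different rows per user. It assumes VA substitutes SUB::SAS.IdentityGroups with the caller's group names and SUB::SAS.Userid with the caller's id and evaluates the condition per row, with CONTAINS treated as a substring test; the mapping, mart rows and user ids are constructed.

```python
from typing import Dict, List

# Constructed sample of the security-database mapping that the framework
# syncs into identity-group metadata: cost-centre code -> identity group.
COST_CENTRE_GROUPS: Dict[str, str] = {
    "C100": "RLS_CC_CENTRAL",
    "S200": "RLS_CC_SOUTH",
    "N300": "RLS_CC_NORTH",
}

# Constructed reporting-mart rows (input to the Extract step).
COST_MART: List[dict] = [
    {"cc": "C100", "amount": 10},
    {"cc": "S200", "amount": 20},
    {"cc": "N300", "amount": 30},
    {"cc": "X999", "amount": 5},  # no mapping in the security database
]

# Constructed user-identity table for the USERID CONTAINS example.
USER_TABLE: List[dict] = [
    {"USERID": "WALT@DISNEY", "project": "P1"},
    {"USERID": "TOM@DISNEY", "project": "P2"},
    {"USERID": "WALT@DISNEY;JERRY@DISNEY", "project": "P3"},  # multi-valued cell
]

def concatenate_rls_column(rows, mapping, key, rls_column):
    """Concatenate step: add the RLS_ column beside the data columns.
    A key with no mapping gets an empty value, so it matches no group
    (fails closed) instead of becoming readable by everyone."""
    return [dict(r, **{rls_column: mapping.get(r[key], "")}) for r in rows]

def grant_in(rows, column, identity_groups):
    """Models RLS_COLUMN IN ('SUB::SAS.IdentityGroups'): the caller's
    identity-group names are substituted and only matching rows survive."""
    groups = {g for g in identity_groups if g}  # a blank group must never match
    return [r for r in rows if r[column] in groups]

def grant_contains(rows, column, userid):
    """Models USERID CONTAINS ('SUB::SAS.Userid') as a substring test, so a
    cell listing several user ids matches each of them (IN would not)."""
    return [r for r in rows if userid and userid in r[column]]

def visible_amounts(identity_groups):
    """The same query per user: amounts the caller is permitted to see."""
    table = concatenate_rls_column(COST_MART, COST_CENTRE_GROUPS, "cc", "RLS_COST")
    return [r["amount"] for r in grant_in(table, "RLS_COST", identity_groups)]
```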
Main Challenges Encountered
• But what about the impact on the Metadata Server?
• Hmmm... Parent-child relationships!
• So where’s the IN operator?
• How about multiple identity syncs?
Current Status and Benefits
• Enhanced authorization
• Less reliance on ACTs
• Security consistency
• Stakeholder assurance
• Reduced duplication
• Low administration
• Compliance