Access Control Reference

Users and Groups and Roles

Principals (simple user or group information)

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| Access basic principal information for user or group | /User/{name} or /Group/{name} | ReadSimple | |
| Query simple user or group information | /User/{name} or /Group/{name} on each entity in result set | ReadSimple | Only those principals passing access control check are returned |

Users

Users are not namespaced entities, so all access control checks for operations relating to users are made without specifying a namespace. Role bindings must therefore be for all namespaces to be effective.

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| Direct creation of a new user (not by invitation email) | /Users/{userName} | Create | |
| Create user by invitation | /Users/{userName} | Create | |
| Return user entity for current user | | | No specific access control check |
| Access a user entity | /Users/{userName} | Read | |
| Delete a user entity | /Users/{userName} | Delete | |
| Change the basic properties of a user (not membership information) | /Users/{userName} | Update | For a change of username, check is performed on both new and old names |
| Query the groups of a user | /Users/{userName}/groups | Read | |
| Query users | /Users/{userName} for each user in result set | Read | Only those entities passing the access control check are returned |

Groups

Groups are not namespaced entities, so all access control checks for operations relating to groups are made without specifying a namespace. Role bindings must therefore be for all namespaces to be effective.

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| Creation of a new Group | /Groups/{name} | Create | |
| Access a group entity | /Groups/{name} | Read | |
| Delete a group entity | /Groups/{name} | Delete | |
| Change the basic properties of a group (not membership information) | /Groups/{name} | Update | For a rename, check is performed on both new and old names |
| Query the memberships of a group | /Groups/{name}/members | Read | |
| Add a member to a group | /Groups/{name}/members | Update | |
| Delete a member from a group | /Groups/{name}/members | Update | |
| Query groups | /Groups/{name} for each group in result set | Read | Only those entities passing the access control check are returned |

Altair SLC Hub provides a default set of groups that can be used to grant additional permissions to users. For a list of these groups and their associated roles, see Default Altair SLC Hub Groups.

Roles

Roles themselves are not namespaced entities, so all access control checks for operations relating to roles are made without specifying a namespace. Role bindings must therefore be for all namespaces to be effective.

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| Creation of a Role | /Roles/{name} | Create | |
| Access a role | /Roles/{name} | Read | |
| Delete a role | /Roles/{name} | Delete | |
| Update basic properties of a role (not role bindings) | /Roles/{name} | Update | In the case of a rename, check is performed on both new and old names |
| Query roles | /Roles/{name} for each role in result set | Read | |
| Get a specific role | /Roles/{name} | Read | |

Role Bindings

The binding of a role to a user or group can be in the context of a namespace, or it can apply to all namespaces. All of these access control requests are performed in the context of the namespace associated with the role binding.

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| Create a role binding | /RoleBindings | Create | Request is based on the namespace in which the binding is made |
| Delete a role binding | /RoleBindings | Delete | Request is based on the namespace in which the binding is made |
| Query role bindings | /RoleBindings | Read | A check is performed for each namespace referenced by a role binding in the result set; role bindings are only returned for those namespaces for which that check is successful |
| Bulk delete of role bindings | /RoleBindings | Delete | A check is performed for each namespace referenced by a role binding being deleted. All checks are required to pass for the delete to be authorized |
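
The scoping rules above, modelled as an added example (not Altair SLC Hub code or its API): a namespace-scoped binding has no effect on a check made without a namespace, a role binding query is filtered per namespace, and a bulk delete is all-or-nothing. The `ROLES` table, the `ALL` marker, exact-match permissions and checking an all-namespaces binding with no namespace are assumptions; principals and namespaces are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ALL = "*"  # constructed marker: binding applies to all namespaces

@dataclass(frozen=True)
class Binding:
    principal: str
    role: str
    namespace: str  # a namespace name, or ALL

# Constructed role contents: role -> {(object string, action)}. How Hub stores
# role permissions is not described on this page; exact match is an assumption.
ROLES = {
    "user-reader": {("/Users/bob", "Read")},
    "binding-admin": {("/RoleBindings", "Read"), ("/RoleBindings", "Delete")},
}

BINDINGS = [
    Binding("alice", "user-reader", "finance"),    # namespace-scoped
    Binding("carol", "user-reader", ALL),          # all namespaces
    Binding("alice", "binding-admin", "finance"),
    Binding("dave", "binding-admin", "research"),
]

def check(principal: str, obj: str, action: str, namespace: Optional[str]) -> bool:
    """namespace=None models a check made without specifying a namespace."""
    for b in BINDINGS:
        if b.principal != principal or (obj, action) not in ROLES[b.role]:
            continue
        # A scoped binding only matches a request made in that same namespace.
        if b.namespace == ALL or (namespace is not None and b.namespace == namespace):
            return True
    return False

def ctx(b: Binding) -> Optional[str]:
    # Assumption: an all-namespaces binding is checked with no namespace.
    return None if b.namespace == ALL else b.namespace

def query_role_bindings(principal: str) -> list:
    """Read check per referenced namespace; failing namespaces are filtered out."""
    return [b for b in BINDINGS if check(principal, "/RoleBindings", "Read", ctx(b))]

def bulk_delete_role_bindings(principal: str, targets: list) -> bool:
    """Every referenced namespace must pass, or the delete is not authorized."""
    return all(check(principal, "/RoleBindings", "Delete", ctx(b)) for b in targets)
```

When auditing a deployment, the first case is the one to look for: a namespace-scoped binding of a role that only covers users, groups or roles grants nothing.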

Administration

Namespaces

Whilst namespaces are not themselves namespaced, the access control requests for operations on namespaces work slightly differently. Rather than the access control requests being based on an object string of /Namespaces/{name} with no namespace specified, the access control requests are based on a fixed object string of /Namespace, but the access control request is made in the context of the given namespace.

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| Creation of a new namespace | /Namespace | Create | Request is made in the context of the given namespace |
| Access a namespace entity | /Namespace | Read | Request is made in the context of the given namespace |
| Delete a namespace entity | /Namespace | Delete | Request is made in the context of the given namespace |
| Change the properties of a namespace | /Namespace | Update | Request is made in the context of the given namespace |
| Query namespaces | /Namespace | Read | Request is made in the context of each namespace in the result set, and only those entities passing the access control check are returned |
| Get the default namespace | /Namespace | Read | Check is performed for whatever namespace is currently the default |
| Set the default namespace | /Namespace | Update | An Update check is performed on the new and old default namespaces (this equates to updating the isDefault property on both entities) |

Execution Profiles

Execution profiles are not namespaced entities, so all access control checks are performed without a namespace specified.

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| Create a new execution profile | /ExecutionProfiles/{name} | Create | |
| Access an execution profile entity | /ExecutionProfiles/{name} | Read | |
| Make use of an execution profile to run a workload | /ExecutionProfiles/{name} | Use | |
| Delete an execution profile entity | /ExecutionProfiles/{name} | Delete | |
| Change the properties of an execution profile | /ExecutionProfiles/{name} | Update | For a rename, check is performed on both new and old names |
| Query execution profiles | /ExecutionProfiles/{name} for each entity in the result set | Read | Only those entities passing the access control check are returned |
| Get the default execution profile for a namespace | /ExecutionProfiles/{name} | Read | Check is performed for whatever profile is currently the default |

Execution Profile Bindings

In order to be used within a namespace, an execution profile has to be bound to that namespace. This involves creating an execution profile binding. The access control for execution profile bindings is all carried out with the /ExecutionProfileBindings object string, and the access control checks are performed in the context of the namespace that is the target of the binding.

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| Create a binding to a namespace | /ExecutionProfileBindings | Create | Check performed in the context of the target namespace |
| Remove a binding to a namespace | /ExecutionProfileBindings | Delete | Check performed in the context of the target namespace |
| Set a profile as the default for a namespace | /ExecutionProfileBindings | Update | Check performed in the context of the target namespace |
| List execution profile bindings | /ExecutionProfileBindings | Read | Check performed for each distinct namespace. Only bindings that pass the access control check are returned |

Cluster Nodes

Cluster nodes are not namespaced entities, so all access control checks are performed without a namespace specified.

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| List cluster nodes | /ClusterNodes | List | |
| Return details of a cluster node | /ClusterNodes/{nodeId} | Read | |
| Return stats for a cluster node | /ClusterNodes/{nodeId} | Read | |
| Return a list of all distinct attribute names on cluster nodes | /ClusterNodes | List | |
| Return a list of all distinct node labels on cluster nodes | /ClusterNodes | List | |

Cluster Workloads

Cluster workloads are not namespaced entities, so all access control checks are performed without a namespace specified.

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| List running jobs | /ClusterJobs | Read | |
| Get details of a running job | /ClusterJobs | Read | |
| View executions of a job | /ClusterJobs | Read | |
| View log of a job execution | /ClusterJobs | Read | |
| Cancel a job execution | /ClusterJobs | Update | |
| Restart a job execution | /ClusterJobs | Update | |
| View filesystem for a job | /ClusterJobs | Read | |

Data Access

Library Definitions

Library Definitions are namespaced entities, so all access control requests are performed in the context of the containing namespace.

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| Creation of a library definition | /LibraryDefinitions/{name} | Create | |
| Deletion of a library definition | /LibraryDefinitions/{name} | Delete | |
| Update a library definition | /LibraryDefinitions/{name} | Update | For a rename, or a move to a different namespace, both new and old names are checked |
| Get a library definition | /LibraryDefinitions/{name} | Read | |
| Use a library definition in a SAS language program | /LibraryDefinitions/{name} | Read | |
| Query library definitions | /LibraryDefinitions/{name} for each matching result | Read | Only those entities for which the access control check passes are returned |
| Create a libname binding | /LibraryDefinitions/{name} | CreateBinding | |
| Delete a libname binding | /LibraryDefinitions/{name} | DeleteBinding | |
| Update a libname binding | /LibraryDefinitions/{name} | UpdateBinding | Check performed on new and old Library Definition in the case of a binding being moved |
| List bindings of a library definition | /LibraryDefinitions/{name} | ListBindings | |
| Get specific libname binding | /LibraryDefinitions/{name} | GetBinding | |
| Resolve the list of assigned libnames for a user | /LibraryDefinitions/{name} | Read | Access control check is performed for all library definitions for which there is a binding to the user or one of the groups the user is a member of. Libname bindings are only returned for those library definitions for which the access control check is successful. |

Authentication Domains

Authentication Domains are namespaced entities, so all access control requests are performed in the context of the containing namespace.

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| Creation of an auth domain | /AuthDomains/{name} | Create | |
| Deletion of an auth domain | /AuthDomains/{name} | Delete | |
| Update an auth domain | /AuthDomains/{name} | Update | For a rename, or a move to a different namespace, both new and old names are checked |
| Get an auth domain | /AuthDomains/{name} | Read | |
| Query auth domains | /AuthDomains/{name} for each matching result | Read | Only those entities for which the access control check passes are returned |
| Create a credential | /AuthDomains/{name} | CreateCredential | A user can create credentials for themselves if the allowPersonalCredentials field is set on an auth domain. |
| Delete a credential | /AuthDomains/{name} | DeleteCredential | A user can delete credentials explicitly assigned to their user if the allowPersonalCredentials field is set on an auth domain. |
| Update a credential | /AuthDomains/{name} | UpdateCredential | Check performed on new and old auth domain in the case of a credential being moved. A user can edit a credential explicitly assigned to their user if the allowPersonalCredentials field is set on an auth domain. |
| Change the rank of a credential | /AuthDomains/{name} | UpdateCredential | A user can edit a credential explicitly assigned to their user if the allowPersonalCredentials field is set on an auth domain. |
| Query credentials for an auth domain | /AuthDomains/{name} | ListCredentials | |
| A user listing credentials bound to their user or any group they are a member of | | | No access control check is made |
| Get a specific credential | /AuthDomains/{name} | GetCredential | |
| Use an auth domain in a SAS language program | | | No specific access control check made. The only credentials returned are the ones associated with the user or one of the groups they are a member of |

Deployment Services

Artifact Repositories

Artifact repositories are not namespaced entities. Role bindings must therefore be for all namespaces to be effective.

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| Create a new artifact repository | /ArtifactRepositories/{name} | Create | |
| Update the definition of an artifact repository | /ArtifactRepositories/{name} | Update | |
| Delete artifact repository | /ArtifactRepositories/{name} | Delete | |
| Retrieve the definition of an artifact repository | /ArtifactRepositories/{name} | Read | |
| List artifact repositories | /ArtifactRepositories/{name} | Read | Only those entities for which the access control check passes are returned |

Artifacts

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| Upload a new artifact to a repository | /Artifacts/{repoName} | Upload | |
| Replace an existing artifact in a repository | /Artifacts/{repoName} | Upload, Delete | |
| Delete an artifact from a repository | /Artifacts/{repoName} | Delete | |
| Download an artifact from a repository | /Artifacts/{repoName} | Read | Also requires Read permission for /ArtifactRepositories/{repoName} |
| Query artifacts | /ArtifactRepositories/{repoName} | Read | Only those entities for which the access control check passes are returned |
| Bulk delete artifacts | /Artifacts/{repoName} | Delete | |

Deployments

Deployments are namespaced entities, so any access control checks are performed in the context of the containing namespace.

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| Create a new Deployment | /Ondemand/Deployments/{deploymentPath} | Create | |
| Delete a Deployment | /Ondemand/Deployments/{deploymentPath} | Delete | |
| Update a Deployment | /Ondemand/Deployments/{deploymentPath} | Update | In the case of the deployment path being changed, check is performed on the old and the new paths. |
| Read a Deployment definition | /Ondemand/Deployments/{deploymentPath} | Read | |
| Query Deployments | /Ondemand/Deployments/{deploymentPath} on any deployment in the result set | Read | Only those entities for which the access control check passes are returned |

Deployed program directory entries

The directory entries that result from deploying a program package are created in the same namespace as the deployment entity.

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| Query program directory | /Directory/{fullProgramPath} on any program in the result set | Read | Only those entities for which the access control check passes are returned |
| Run a program from the directory | /Directory/{fullProgramPath} | Run | |

Batch job executions

Batch job executions are namespaced entities. They are automatically created in the same namespace as the program directory entry from which they are created.

A batch program execution has an owner, the user who submitted the program and therefore created the execution. A user always has permission for any action on any batch executions they own, other than to view the job execution log.

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| Submit a job | /Directory/{fullProgramPath} | Run | |
| Repeat execution of a job | /Directory/{fullProgramPath} | Run | |
| Get a job owned by another user | /Jobs | Read | |
| Delete a job owned by another user | /Jobs | Delete | |
| Cancel a job owned by another user | /Jobs | Cancel | |
| View execution log of a job | /Jobs | ViewLog | |
| List results of a job owned by another user | /Jobs | Read | |
| View a result from a job owned by another user | /Jobs | Read | |
| A user listing their own jobs | | | No specific access control check made |
| Query jobs | /Jobs on all jobs in the result set | Read | |

Pipelines

Pipelines are namespaced entities, so in general all access control checks are performed in the context of the containing namespace.

Pipelines and Pipeline Folders

Pipelines and folders form a hierarchy much like a file system.

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| Create a pipeline or pipeline folder | /Pipelines/{path} | Create | |
| Delete a pipeline or pipeline folder | /Pipelines/{path} | Delete | Only one access control check is carried out, on the entity being deleted. In the case of a folder, no further access control checks are performed on any nested entities. |
| Return a specific pipeline or folder | /Pipelines/{path} | Read | |
| Submit a pipeline for execution | /Pipelines/{path} | Submit | |
| | /PipelineRuns | Create | |
| Update the definition of a pipeline | /Pipelines/{path} | Update | In the case of a rename, or moving the pipeline to a new folder, or namespace, checks are carried out with both new and old paths |

Triggers

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| Create a trigger for a pipeline | /Pipelines/{path} | CreateTrigger | |
| Update the definition of a trigger | /Pipelines/{path} | UpdateTrigger | |
| Read the definition of a trigger | /Pipelines/{path} | GetTrigger | |
| Delete a trigger for a pipeline | /Pipelines/{path} | DeleteTrigger | |
| List triggers for a pipeline | /Pipelines/{path} | ListTriggers | |

Pipeline Runs

Pipeline runs are namespaced entities. They are automatically created in the same namespace as the pipeline from which they are created.

A pipeline run has an owner, the user who submitted the pipeline and therefore created the run. A user always has permission for any action on any pipeline runs they own.

| Task | Object | Action | Comments |
| --- | --- | --- | --- |
| Get pipeline run details (pipeline owned by another user) | /PipelineRuns | Read | |
| Get pipeline run status (pipeline owned by another user) | /PipelineRuns | Read | |
| Create a pipeline run from a supplied pipeline definition | /PipelineRuns | Create | |
| Delete a pipeline run owned by another user | /PipelineRuns | Delete | |
| Cancel a pipeline run owned by another user | /PipelineRuns | Cancel | |
| Get execution log of run owned by another user | /PipelineRuns | Read | |
| List the available results of run owned by another user | /PipelineRuns | Read | |
| Return a node result of a run owned by another user | /PipelineRuns | Read | |
| List pipeline runs | /PipelineRuns for each distinct namespace in the query result | List | Results are only returned for those namespaces for which the access control check succeeds |
| User listing their own pipeline runs | | | No specific access control check |