Identifying Additional Permissions for Users¶
Altair SLC Hub users will most frequently access functionality from an external tool rather than using the Hub Portal; typically this would be connecting to a Hub instance from Workbench. Connecting in the manner will not provide users with feedback if they attempt to use functionality for which permission has not been granted.
Altair SLC Hub permissions control various aspects of the access to and use of hub, and a user need to be the member of multiple hub user groups to provide the access they require. When a user attempts to access functionality for which they do not have permission, that action is recorded in the Access Control log. If the user is attempting to access functionality for which they should have permission, the hub administrator can use the Access Control Log to track this activity and modify the user's permissions as required.
The Access Control log is available in the Hub Administration section of the Hub Portal. This view provides a list of all interaction for all users with the hub instance. The view can be filtered to show the particular interactions of interest.
A hub installation contains a set of default groups that provide different levels of permissions for the functional areas of hub. For example, to use defined libraries in a SAS language program, a user should be a member of the HubUsers
group to access the Hub instance and DataAccessConsumers
to view and use the defined libraries.
The reference of these groups and their permissions can be used to identify the required group or groups for other permissions, see Default groups.
Example: Add Permissions to run SAS language programs
Add the ability to run SAS language programs for a Workbench user (HubTestUser
) who can access hub (create a link session), but cannot run a program (access to the /LinkSessions
Object).
Where the user has attempted to run a SAS language program and failed, the hub administrator will need to make changes to their permissions.
- In the hub portal, launch Hub Administration and open the Access Control Log.
By default, the log displays the last 25 interactions with hub which might not contain details of the failed attempt. - Using the log filters, restrict the view to the required user (
HubTestUser
) and the Decision made to Deny. This will show all actions made by the user for which they do not have permission:
- Select the most recent log entry that denies access to the
/LinkSessions
object. Click the three dots and click Test. - In the Access Control Test window, click Test Access to confirm that the permission is not available:
- Click Groups in the menu and search for the
LinkSessionUsers
group. This group provides the associated users with the Create action for the/LinkSessions
object. - In Group members, click Add. In the Add members dialog, enter the user name as displayed in the Access Control log (for example
HubTestUser
), in the search field and click Add next to the user's name in the list. - Close the dialog and click Access Control Log in the menu.
In the log, filter to show the same deny decision located in step 2. Select the entry for the/linksessions
object and test the connection. The Access Control Test shows the user now has the required permission: