?> assumeRole - WeAreCAS
accessControl

assumeRole

#set_accesscontrol#security#admin

Description

The assumeRole action allows a user to temporarily adopt a specific administrative role within the CAS session. This is a powerful feature for administrators who need to perform tasks requiring elevated permissions without permanently changing their user rights. By assuming a role like 'SUPERUSER', 'DATA', or 'ACTION', the user gains unrestricted access to specific areas of the CAS server for the duration of the role assumption. This is crucial for managing access controls, data, or actions securely and efficiently.

accessControl.assumeRole <result=results> <status=rc> / adminRole="ACTION" | "DATA" | "SUPERUSER";
Settings
ParameterDescription
adminRoleSpecifies the administrative role to assume. 'ACTION' provides unrestricted access to actions and action sets. 'DATA' provides unrestricted access to caslibs, tables, and columns. 'SUPERUSER' combines the privileges of both ACTION and DATA roles, and adds the ability to manage roles and paths.
Data Preparation
No Data Creation Needed

The `assumeRole` action does not directly interact with or create data tables. It is an administrative action used to manage session permissions.

/* No data creation code is necessary for this action. */

Examples

This example demonstrates how to assume the 'SUPERUSER' role. This grants the highest level of permissions for the current session.

SAS® / CAS Code
Copied!
1PROC CAS;
2 ACCESSCONTROL.assumeRole / adminRole='SUPERUSER';
3RUN;
Result :
The action will execute and, if successful, the user's session will have Superuser privileges. A confirmation note is typically printed in the SAS log.

This example shows how to first assume the 'DATA' administrator role to perform data-related administrative tasks, and then how to drop that role to revert to the original permissions.

SAS® / CAS Code
Copied!
1PROC CAS;
2 /* Assume the DATA role to manage data access controls */
3 ACCESSCONTROL.assumeRole / adminRole='DATA';
4 PRINT 'Current session has assumed the DATA role.';
5 
6 /* ... perform administrative tasks on caslibs or tables ... */
7 
8 /* Drop the assumed role to return to normal permissions */
9 ACCESSCONTROL.dropRole / adminRole='DATA';
10 PRINT 'The DATA role has been dropped.';
11RUN;
Result :
The log will first show a confirmation of assuming the 'DATA' role. After the administrative tasks are performed, a second confirmation will appear, indicating that the 'DATA' role has been dropped and the session has returned to its original permission level.

This example illustrates how permissions change by first checking authorization for a specific action, then assuming the 'ACTION' role, and finally re-checking the authorization. This is useful for verifying the effect of `assumeRole`.

SAS® / CAS Code
Copied!
1PROC CAS;
2 /* 1. Check if the user is authorized for a specific action before assuming a role */
3 ACCESSCONTROL.isAuthorizedActions / actions={{name='serverstatus', actionSet='builtins'}};
4 
5 /* 2. Assume the ACTION role */
6 ACCESSCONTROL.assumeRole / adminRole='ACTION';
7 
8 /* 3. Check authorization again to see the change in permissions */
9 ACCESSCONTROL.isAuthorizedActions / actions={{name='serverstatus', actionSet='builtins'}};
10 
11 /* 4. Drop the role to clean up the session state */
12 ACCESSCONTROL.dropRole / adminRole='ACTION';
13RUN;
Result :
The output will show two tables. The first `isAuthorizedActions` result might show 'false' for authorization if the user does not normally have permission. After assuming the 'ACTION' role, the second result for the same check will show 'true', demonstrating the elevated privileges.

FAQ

What is the purpose of the assumeRole action?
What are the different administrative roles available in the assumeRole action?
What privileges does the 'SUPERUSER' role grant?
What is the default value for the 'adminRole' parameter?
How does the 'ACTION' role differ from the 'DATA' role?
Copyright © WeAreCAS 2025