IT Audit: Scan for Unauthorized PII in a User's Personal Caslib - WeAreCAS

Action set: accessControl | Action: accessPersonalCaslibs

Test Scenario & Use Case

Business Context

An internal data governance policy prohibits storing sensitive Personally Identifiable Information (PII) in personal CAS workspaces. An IT administrator must perform a spot audit on a specific user's personal caslib (`CASUSER(finance_user)`) to check for non-compliant data without disrupting the user's session.
Data Preparation

Simulate a scenario where 'finance_user' has loaded two tables into their personal caslib: one compliant ('quarterly_sales') and one non-compliant ('employee_pii') containing sensitive data. This setup requires admin rights to place tables in another user's caslib.

/* Data setup requires admin privileges. A DATA step cannot run inside
   PROC CAS, so the tables are loaded through a CAS libref instead.
   Assumption: writing into another user's personal caslib from an admin
   session only works once accessPersonalCaslibs has been run in that
   CAS session (otherwise have finance_user load the tables). */
LIBNAME fuser CAS CASLIB="CASUSER(finance_user)";

/* Simulate finance_user's non-compliant table */
DATA fuser.employee_pii(promote=yes);
   LENGTH ssn $11 name $50;
   ssn='123-45-678'; name='John Doe'; OUTPUT;
   ssn='987-65-432'; name='Jane Smith'; OUTPUT;
RUN;

/* Simulate finance_user's compliant table */
DATA fuser.quarterly_sales(promote=yes);
   LENGTH product $20;
   product='Widget A'; sales=15000; OUTPUT;
   product='Widget B'; sales=22000; OUTPUT;
RUN;

Steps

1. Baseline Check: As an administrator, attempt to list the tables in 'CASUSER(finance_user)'. This step is expected to fail with an authorization error, proving that access to another user's personal caslib is restricted by default.

PROC CAS;
   /* Expected to fail: access to the personal caslib has not been granted yet */
   TABLE.tableInfo / caslib="CASUSER(finance_user)";
RUN;
2. Privilege Escalation: Execute the accessPersonalCaslibs action to gain administrative access to all personal caslibs. The grant is scoped to the current CAS session, so the remaining steps must run in that same session.

PROC CAS;
   /* Grants this session administrative access to every personal caslib */
   ACCESSCONTROL.accessPersonalCaslibs;
RUN;
3. Verification: Re-run the table.tableInfo action on 'CASUSER(finance_user)'. This time the action should succeed and return the list of tables.

PROC CAS;
   /* Should now succeed and list employee_pii and quarterly_sales */
   TABLE.tableInfo / caslib="CASUSER(finance_user)";
RUN;
4. Audit Execution: Fetch a few rows from the suspicious 'employee_pii' table to confirm its contents, completing the audit.

PROC CAS;
   /* Read only the first 5 rows; the audit does not need the full table */
   TABLE.fetch / TABLE={caslib="CASUSER(finance_user)", name="employee_pii"}, to=5;
RUN;
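The four steps above can be folded into one CASL audit script that, after gaining access, walks every table in the personal caslib and flags columns that look like PII both by name and by sampled content. This is an added example and not code from the original page; the keyword list, the SSN-shaped regular expression, and the use of prxmatch in CASL are assumptions made for the demo.

```sas
/* Added example: automated PII scan of one user's personal caslib.
   Run in the same CAS session as accessPersonalCaslibs.
   Keywords and the SSN regex below are assumptions for this demo. */
PROC CAS;
   target   = "CASUSER(finance_user)";
   keywords = {"SSN", "SOCIAL", "PASSPORT", "BIRTH", "DOB", "SALARY"};

   /* Step 2 of the procedure: session-scoped admin access */
   ACCESSCONTROL.accessPersonalCaslibs;

   /* Step 3: enumerate the tables in the target caslib */
   TABLE.tableInfo result=ti / caslib=target;

   DO tbl OVER ti.TableInfo;
      /* Check 1 (metadata): column names that suggest PII */
      TABLE.columnInfo result=ci / table={caslib=target, name=tbl.Name};
      DO col OVER ci.ColumnInfo;
         DO kw OVER keywords;
            IF index(upcase(col.Column), kw) > 0 THEN
               PRINT "FLAG (column name) " tbl.Name "." col.Column
                     " matches keyword " kw;
         END;
      END;

      /* Check 2 (content): sample rows, look for SSN-shaped strings
         (step 4 of the procedure, generalised to every table) */
      TABLE.fetch result=fr / table={caslib=target, name=tbl.Name}, to=20;
      DO row OVER fr.Fetch;
         DO col OVER ci.ColumnInfo;
            IF col.Type = "char" OR col.Type = "varchar" THEN DO;
               IF prxmatch("/\b\d{3}-\d{2}-\d{4}\b/", row[col.Column]) > 0 THEN
                  PRINT "FLAG (content) " tbl.Name "." col.Column
                        " contains an SSN-like value";
            END;
         END;
      END;
   END;
QUIT;
```

On the page's sample data the name check flags employee_pii.ssn; the content check only fires on full 3-2-4 formatted values, so the sample's shortened ssn strings are caught by the name check alone.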

Expected Result

The administrator successfully lists and inspects tables within another user's personal caslib after executing the action. The initial attempt fails for lack of permissions, while the subsequent attempts succeed, confirming that the action correctly elevates privileges for targeted administrative tasks within the current session.