The SAS implementation of roles enables you to manage the availability of application features such as menu items, plug-ins, and buttons. For example, your role memberships determine whether you can see the Server Manager plug-in (in SAS Management Console), compare data (in SAS Enterprise Guide), or directly open an information map (in SAS Web Report Studio).
Here are some key points about the SAS implementation of roles:
Roles are an entirely separate concept from permissions. In general, roles don't affect access to metadata or data. An exception is that the unrestricted role provides irrevocable grants of all permissions in the metadata authorization layer. This enables unrestricted users to manage all metadata.
Not all applications have roles. Applications that have roles include the SAS Add-In for Microsoft Office, SAS Enterprise Guide, SAS Management Console, and SAS Web Report Studio.
Not all application features are under role management. An application feature that is under role management is called a capability. Each application that supports roles provides a fixed set of capabilities. You can't convert a feature that isn't a capability into a capability. However, if you add custom tasks or develop custom plug-ins, you can register those features as capabilities.
All capabilities are additive. There are no capabilities that limit what you can do.
Capabilities can be categorized as follows:
An explicit capability can be incrementally added to or removed from any role (other than the unrestricted role, which always provides all explicit capabilities). Most roles have explicit capabilities.
An implicit capability is permanently bound to a certain role. The metadata server's roles provide implicit capabilities. For example, the user administration role provides the capability to add users, but there is no explicit Create Users capability.
A contributed capability is an implicit or explicit capability that is assigned through role aggregation. If you designate one role as a contributing role for another role, all of the first role's capabilities become contributed capabilities for the second role.
You can't assign permissions to a role or capabilities to a group.
A user can't temporarily assume or relinquish a role; all of a user's roles are active at all times. Administrators can have two user definitions so they can function as regular users some of the time. See How to Create a Dual User.
If you need detailed information about an application's capabilities and default roles, see the administrative documentation for that application.