Users, Groups, and Roles

Role Definitions

Roles [icon] manage the visibility of application features such as menu items, plug-ins, and buttons. In the initial configuration, registered users have almost all nonadministrative capabilities. If you want to alter the initial configuration, use either or both of these techniques:

To increase or reduce the availability of a role, adjust a role's membership on its Members tab. For example, on the Enterprise Guide: Advanced role's Members tab, you might remove PUBLIC and add a few individual power users (or a custom group of power users). Any capabilities that are provided exclusively by the Enterprise Guide: Advanced role will no longer be available to other restricted users.

Initially, the other SAS Enterprise Guide roles have no members, so narrowing the membership of this role limits the availability of all capabilities. To preserve the availability of the capabilities of the less privileged roles, assign a group (such as PUBLIC) as the member of those roles.
To redistribute capabilities, change the selections on a role's Capabilities tab or assign contributing roles on a role's Contributing Roles tab. For example, on the Management Console: Content Management role's Capabilities tab, you might clear the User Manager check box. Only users who get this capability from another role (such as Management Console: Advanced) or are unrestricted will be able to see this plug-in.

Initially, some capability assignments are redundant across an application's roles. For example, SAS Web Report Studio's basic print capability is provided by all of that application's predefined roles. To prevent someone from having a capability, make sure they aren't in any role that provides that capability.

The following list and display highlight important details:

Not all application features are under role management. Not all applications have roles.
Roles and groups serve distinct purposes. You can't assign permissions to a role or capabilities to a group.
Don't change the Name of any of the predefined roles.
The Members tab doesn't show indirect memberships. For example, the SAS Administrator is a member of the Metadata Server: Operation role, but the SAS Administrator is not listed on that role's Members tab. Only the direct member (SAS Administrators) is listed.
The metadata server roles have implicit capabilities. For example, members of the Metadata Server: User Administration role can create new users, but there is no Create Users check box on any Capabilities tab.
The relationships that you create using the Contributing Roles tab are monolithic; you can't deselect a contributed capability. These relationships are also dynamic; a change to the capabilities of one role affects any roles to which the first role contributes its capabilities.
There are no negative capabilities (capabilities that limit what someone can do). You can't deny a capability to anyone.
A role's Authorization tab does not determine what that role can do. This tab can affect the ability of other users to modify or delete this role.

A Role Definition

[A Role Definition]

	Roles Overview
	Main Administrative Roles
	How to Assign Capabilities to Roles
	Ensure Availability of Application Features
	Differences Between Roles and Groups
	Who Can Manage Users, Groups, and Roles?